ISPsystem.com Forums > ISPmanager > Troubleshooting
05-09-2008, 06:43 AM   #1
jassinpain, Junior Member (Join Date: May 2008, Posts: 3)

Rootkited

Anyone else seen this?

Hello,

I just rebuilt my server and installed the ispmanager pro version, and in less than a week a rootkit was installed on a fully updated system. In
my three years with Plesk this has never happened. Also, to make it
worse, it appears that there must be a bug in the way resellers are
handled, as those are the way they got in. In case you're wondering, here
are the files I have found to clean:

976 mv cat /usr/lib/libsh/.sniff/shp /tmp
977 mv /usr/lib/libsh/.sniff/shp /tmp
985 mv /usr/include/hosts.h /tmp
989 mv /usr/include/log.h
990 mv /usr/include/log.h /tmp
991 mv /usr/include/proc.h
992 mv /usr/include/proc.h /tmp
1022 mv ttyload /tmp
1025 mv ttyload /tmp/hacked/
1027 mv ttymon /tmp/hacked/
1042 mv /usr/lib/libsh/ /tmp/hacked/
1045 mv /usr/lib/libsh/ /tmp/hacked/
1050 mv /lib/libsh.so /tmp/hacked/
1053 mv /lib/libsh.so /tmp/hacked/
1076 mv /lib/libproc.a /tmp/hacked/
1084 mv /tmp/log.h /tmp/proc.h /tmp/shp /tmp/hacked/
1086 mv /usr/include/file.h /tmp/hacked/
1089 mv /lib/lidps1.so /tmp/hacked/
1105 mv /tmp/hosts.h /tmp/hacked/

[root@bella hacked]# ls -lah /tmp/hacked/
total 504K
drwxr-xr-x 4 root root 4.0K May 8 20:23 .
drwxrwxrwt 7 root root 68K May 8 20:23 ..
-rwxr-xr-x 1 jassinpain mgrreseller 56 Mar 21 2007 file.h
-rwxr-xr-x 1 jassinpain mgrreseller 86 Mar 21 2007 hosts.h
-rwxr-xr-x 1 fhs mgradmin 34K Sep 8 2000 libproc.a
drwxr-xr-x 6 root root 4.0K May 8 17:32 libsh
drwxr-xr-x 2 root root 4.0K May 8 17:32 libsh.so
-rwxr-xr-x 1 jassinpain mgrreseller 71 Mar 21 2007 lidps1.so
-rwxr-xr-x 1 jassinpain mgrreseller 28 Mar 21 2007 log.h
-rwxr-xr-x 1 jassinpain mgrreseller 89 Mar 21 2007 proc.h
---------- 1 jassinpain mgrreseller 7.5K Mar 21 2007 shp
-rwxr-xr-x 1 fhs mgradmin 208K Mar 21 2007 ttyload
-rwxrwxr-x 1 jassinpain mgrreseller 92K Mar 21 2007 ttymon
[root@bella hacked]#


[root@bella ~]# grep .5. rpmverify.txt |egrep 'bin|sbin'
S.5..UG. /usr/bin/pstree
S.5..UG. /usr/bin/find
S.5..UG. /usr/sbin/lsof

By this time I had already cleaned up find, ls and ifconfig, and had to chattr them all.

[root@bella RPMS]# ls -lah
total 4.7M
drwxr-xr-x 2 root root 4.0K May 8 19:49 .
drwxr-x--- 7 root root 4.0K May 8 19:48 ..
-rw-r--r-- 1 root root 3.7M Apr 3 2007 coreutils-5.97-12.1.el5.i386.rpm
-rw-r--r-- 1 root root 295K Apr 3 2007 findutils-4.2.27-4.1.i386.rpm
-rw-r--r-- 1 root root 359K Apr 3 2007 net-tools-1.60-73.i386.rpm
-rw-r--r-- 1 root root 207K Apr 3 2007 procps-3.2.7-8.1.el5.i386.rpm
-rw-r--r-- 1 root root 62K Apr 3 2007 psmisc-22.2-5.i386.rpm
-rw-r--r-- 1 root root 73K Nov 20 11:16 sysklogd-1.4.1-40.el5.i386.rpm
[root@bella RPMS]#

Last edited by jassinpain; 05-09-2008 at 06:51 AM.
05-09-2008, 06:49 AM   #2
jassinpain, Junior Member (Join Date: May 2008, Posts: 3)

I should also note the passwords were randomly generated and never used, as I am still testing the box from the root level. The jasspain account did not even get past setting up a domain; it was still on the soon-to-come page.
05-09-2008, 09:22 AM   #3
jassinpain, Junior Member (Join Date: May 2008, Posts: 3)

Found another part in the inittab:
# Loading standard ttys
0:2345nce:/usr/sbin/ttyload

This is part of the junk they have running.

All times are GMT +2.
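The two checks the poster did by hand in posts #1 and #3 (grepping `rpm -V` output for package binaries whose MD5 changed, and reading inittab for an injected entry) can be scripted. The script below is an added example written for this page; it is not the poster's code and not part of ISPmanager. The `rpm -V` sample reproduces the post's three hits and adds constructed lines that must not be reported; the inittab sample reproduces the post's `ttyload` line exactly as quoted (which has only three colon-separated fields) and adds a constructed `ttymon` line; the allow-list of programs inittab is expected to start is an assumption for the demo host.

```shell
#!/bin/sh
# Added triage helper for this thread (not the poster's or ISPsystem's code).
# It automates the two manual checks in the posts: find package files whose
# MD5 changed in `rpm -V` output, and find inittab entries that are malformed
# or start a program outside an expected allow-list.

# Constructed sample in `rpm -Va` format (flag column: S M 5 D L U G T).
# The first three lines reproduce the post's grep hits; the rest are made up
# to show lines that must NOT be reported (no MD5 change, or not in bin/sbin).
RPM_VERIFY_SAMPLE='S.5..UG.    /usr/bin/pstree
S.5..UG.    /usr/bin/find
S.5..UG.    /usr/sbin/lsof
.......T  c /etc/sysconfig/clock
.M......    /usr/lib/libexample.so
S.5....T  d /usr/share/doc/example/README'

# Print paths from rpm -V output whose MD5 flag (3rd character of the flag
# column) is "5" and which live in a bin or sbin directory.
flag_modified_binaries() {
    printf '%s\n' "$1" | awk '
        NF >= 2 {
            flags = $1; path = $NF
            if (substr(flags, 3, 1) == "5" && path ~ /^\/(usr\/(local\/)?)?s?bin\//) print path
        }'
}

# Constructed inittab fragment: the "0:2345nce:/usr/sbin/ttyload" line is the
# one quoted in post #3; the ttymon line is made up for illustration.
INITTAB_SAMPLE='# Loading standard ttys
1:2345:respawn:/sbin/mingetty tty1
si::sysinit:/etc/rc.d/rc.sysinit
0:2345nce:/usr/sbin/ttyload
2:2345:respawn:/usr/sbin/ttymon'

# Report inittab entries that are malformed (not id:runlevels:action:process)
# or whose program is not in the space-separated allow-list given as $2.
flag_inittab_entries() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ { next }                 # skip comment lines
        /^[ \t]*$/ { next }                 # skip blank lines
        {
            nf = split($0, f, ":")
            if (nf != 4) { print "malformed: " $0; next }
            split(f[4], cmd, " ")           # program is the first word of the process field
            if (!(cmd[1] in ok)) print "unexpected: " $0
        }'
}

# Assumed allow-list of programs inittab is expected to start on this host.
EXPECTED_INIT_PROGRAMS='/sbin/mingetty /etc/rc.d/rc.sysinit'

echo "== package binaries with changed MD5 =="
flag_modified_binaries "$RPM_VERIFY_SAMPLE"
echo "== suspicious inittab entries =="
flag_inittab_entries "$INITTAB_SAMPLE" "$EXPECTED_INIT_PROGRAMS"
```

On a live host you would feed `flag_modified_binaries` the output of `rpm -Va` and `flag_inittab_entries` the contents of `/etc/inittab`. Note that the poster's `ttyload` line is reported as malformed because it has only three fields as quoted; a well-formed entry starting the same program would instead be reported as unexpected, since it is absent from the allow-list. Because the rootkit replaced `find`, `ls` and friends, run such checks from a known-good environment (a rescue boot or statically linked tools), not with the host's own binaries.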